EU adopts first-ever EU network code on cybersecurity for the electricity sector

The European Commission adopted the European Union’s first-ever network code on cybersecurity for the electricity sector.

The grid code will support a high, common level of cybersecurity for cross-border electricity flows in Europe, the commission said and added the act is an important step to improve the cyber resilience of critical EU energy infrastructure and services.

The code is foreseen under the Electricity Regulation (EU) 2019/943 and in the 2022 EU action plan to digitalize the energy system.

The network code aims to establish a recurrent process of cybersecurity risk assessments in the electricity sector. They are aimed at systematically identifying the entities that perform digitalized processes with a critical or high impact in cross-border electricity flows, their cybersecurity risks, and then the necessary mitigating measures.

The new rules will promote a common baseline

The code establishes a governance model that uses and is aligned with existing mechanisms established in horizontal EU legislation, notably the revised Network and Information Security Directive (NIS2), the commission said.

According to the EU’s executive arm, the new rules will promote a common baseline while respecting existing practices and investments as much as possible.

The new governance model can develop, follow and regularly review the methodologies of different stakeholders, taking into account the current mandates of different bodies in both the cybersecurity and electricity regulatory systems, the commissioners added.

The act has been adopted after an extensive consultation process

The act has been adopted after an extensive consultation process with relevant stakeholders, including contributions from ENTSO-E, EU DSO Entity and ACER. It included a four-week period for public feedback late last year.

The dossier now passes to the Council and European Parliament to scrutinize the text.

They each have a period of two months for objection to the secondary legislation, which can be extended by two months. The rules will enter into force once the period is over.